Advertisements

← All guides

How to create a strong password

Most advice about passwords is a decade out of date — all forced symbols and monthly changes. The reality is simpler and more effective: make them long, make them unique, and let something else remember them. Here is what actually protects an account, and why.

Length beats complexity

An attacker who is guessing passwords is racing through combinations. Every character you add multiplies how many guesses they must try, so length is the single biggest lever you have. A short password stuffed with symbols — say eight characters — has far fewer possible combinations than a longer, plainer one. This is why modern security guidance (including the widely referenced NIST standards) now emphasises length and discourages the old "must contain an uppercase, a number and a symbol" rules, which mostly just produced passwords humans cannot remember and machines can still guess.

Why "P@ssw0rd1!" is weaker than it looks

It has an uppercase letter, a number, two symbols and ticks every complexity box — and it is terrible. Password-cracking tools do not guess blindly; they start from real leaked passwords and apply the exact substitutions people always make: a→@, o→0, s→$, a "1!" on the end. Those transformations are built into the standard cracking rules. Predictable complexity is not strength — it just feels like it. Randomness and length are what make a password genuinely hard to guess.

Passphrases: strong and memorable

If you need a password you will actually type from memory, use a passphrase: four or five random, unrelated words strung together, like copper-lantern-drift-walnut. The length makes it extremely hard to crack, while the words make it easy to picture and recall. The catch is the word "random" — a line from a song, a movie quote or a common saying is weak, because attackers test known phrases first. Pick words with no story connecting them.

Try it in your browser

Our Secure Password Generator creates cryptographically strong, random passwords entirely in your browser using the built-in Web Crypto randomness — nothing is ever sent anywhere. Set the length, generate, copy, done.

Open the Secure Password Generator →

Advertisements

The rule that matters most: never reuse

Even a perfect password becomes a liability the moment you use it in two places. When any one site is breached — and sites are breached constantly — attackers take the leaked email-and-password pairs and try them automatically on hundreds of other services. It is called credential stuffing, and it is why a breach at a forum you forgot you joined can cost you your email or bank login. One unique password per account contains the damage to that single account. This one habit protects you more than any amount of added complexity.

Let a manager do the remembering

Nobody can memorise a hundred unique long passwords, and you should not try. A password manager generates a strong, unique password for every site and fills it in for you; you remember only one strong master passphrase. Pair it with two-factor authentication (2FA) on your important accounts — email, banking, and the manager itself — so that even a leaked password alone is not enough to get in. Length, uniqueness, a manager, and 2FA together are the whole game.

Quick checklist

Frequently asked questions

What makes a password strong?

Length and unpredictability. Every extra character multiplies the guesses an attacker must make, so a long password beats a short complex one. Modern guidance favours length and uniqueness over forced complexity.

Is a passphrase safer than a password?

A passphrase of four or five random, unrelated words is both memorable and very hard to crack thanks to its length. Avoid song lyrics or common sayings — attackers test those first.

How often should I change my passwords?

Only when there's a reason — a breach, a shared device, or a suspected leak. Forced periodic changes push people toward predictable variations, so a long, unique password can stay until it's exposed.


Related guide: what is two-factor authentication, and which kind should you use? Or browse all the guides.